[Samba] FreeBSD 7.2 domain member problem

Ivo Karabojkov
Nov 4, 2009, 3:42:34 PM

Hi!

I am trying to set up FreeBSD 7.2 with Samba 3.3.8 as an AD domain member server.
I am not using LDAP, but idmap_rid. I have properly configured
nsswitch.conf.

Joining the domain and wbinfo -u work OK, but when I try
pw show user -a
I get only the FreeBSD user accounts. So, I cannot set owners, ACLs...

My main source is Samba guide chapter 7:
http://www.samba.org/samba/docs/man/Samba-Guide/unixclients.html#id2597100
All tests from Procedure 7.4 of the guide, except getent (equivalent to pw show
user -a), work OK.

It seems that FreeBSD does not use nsswitch. What should I do, or what am I
missing?

Thanks in advance for your help.

--
View this message in context: http://old.nabble.com/FreeBSD-7.2-domain-member-problem-tp26204285p26204285.html
Sent from the Samba - General mailing list archive at Nabble.com.

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

Michael Wood
Nov 5, 2009, 1:46:21 AM

2009/11/4 Ivo Karabojkov <i...@kit-bg.com>:

> I am trying to set a FreeBSD 7.2, Samba 3.3.8 as an AD domain member server.
> I am not using LDAP, but idmap_rid. I have properly configured
> nsswitch.conf.
>
> Joining to domain and wbinfo -u work OK, but when I try
> pw show user -a
> I get only user accounts of FreeBSD. So, I cannot set owners, ACLs...
>
> My main source is Samba guide chapter 7:
> http://www.samba.org/samba/docs/man/Samba-Guide/unixclients.html#id2597100
> All tests from Procedure 7.4 of the guide, except getent (eq. to pw show
> user -a) work OK.
>
> It seems that FreeBSD does not use nsswitch. What should I do or what I am
> missing?
[...]

I have no idea what the problem is, but FreeBSD does seem to use nsswitch:
http://www.freebsd.org/cgi/man.cgi?query=nsswitch.conf&apropos=0&sektion=0&manpath=FreeBSD+7.2-RELEASE&format=html

--
Michael Wood <esio...@gmail.com>

Daniel O'Connor
Nov 5, 2009, 3:03:03 AM

On Thu, 5 Nov 2009, Michael Wood wrote:
> 2009/11/4 Ivo Karabojkov <i...@kit-bg.com>:
> > I am trying to set a FreeBSD 7.2, Samba 3.3.8 as an AD domain
> > member server. I am not using LDAP, but idmap_rid. I have properly
> > configured nsswitch.conf.
> >
> > Joining to domain and wbinfo -u work OK, but when I try
> > pw show user -a
> > I get only user accounts of FreeBSD. So, I cannot set owners,
> > ACLs...
> >
> > My main source is Samba guide chapter 7:
> > http://www.samba.org/samba/docs/man/Samba-Guide/unixclients.html#id2597100
> > All tests from Procedure 7.4 of the guide, except getent
> > (eq. to pw show user -a) work OK.
> >
> > It seems that FreeBSD does not use nsswitch. What should I do or
> > what I am missing?
>
> [...]
>
> I have no idea what the problem is, but FreeBSD does seem to use
> nsswitch:
> http://www.freebsd.org/cgi/man.cgi?query=nsswitch.conf&apropos=0&sektion=0&manpath=FreeBSD+7.2-RELEASE&format=html

It does indeed use nsswitch.

I suggest testing with getent rather than pw. I believe pw only handles
local users/groups (this is a bug ;)

--
Daniel O'Connor software and network engineer
for Genesis Software - http://www.gsoft.com.au
"The nice thing about standards is that there
are so many of them to choose from."
-- Andrew Tanenbaum
GPG Fingerprint - 5596 B766 97C0 0E94 4347 295E E593 DC20 7B3F CE8C


Ivo Karabojkov
Nov 5, 2009, 4:20:02 PM


Yes, FreeBSD supports nsswitch, and I tried getent passwd - the result is the
same.
I should have shown my config files in my previous post, sorry:

smb.conf:
(very similar to Chapter 7, example 7.7 and 7.8 of the Samba Guide)

[global]
# unix charset = LOCALE
workgroup = DOMAIN
realm = domain.local
#
server string = sambaserver.domain.local
security = ADS
username map = /etc/samba/smbusers
log level = 1
syslog = 0
log file = /var/log/samba/%m
max log size = 50
#printcap name = CUPS
#idmap backend = idmap_rid:DOMAIN=10000-100000000
idmap backend = rid
# ldap ssl = no
idmap uid = 10000-100000000
idmap gid = 10000-100000000
allow trusted domains = No
winbind enum users = yes
winbind enum groups = yes
#
winbind refresh tickets = Yes
winbind nested groups = No

hosts allow = 192.168.1. 10.1.55. 127.0.0.1
interfaces = localhost, nfe0, tun*
bind interfaces only = Yes
case sensitive = No

[pub]
comment = Public
path = /var/samba/pub
guest ok = No
browseable = Yes
nt acl support = Yes


/etc/nsswitch.conf:

group: files winbind
group_compat: nis
hosts: files dns
networks: files
passwd: files winbind
passwd_compat: nis
shells: files
services: compat
services_compat: nis
protocols: files
rpc: files

/etc/pam.d/login:
(I don't think I need this; I don't need AD users to access anything but
some Samba shares with ACLs, but I keep trying)

# auth
auth sufficient pam_self.so no_warn
auth include system
auth sufficient /usr/local/lib/pam_winbind.so

# account
account requisite pam_securetty.so
account required pam_nologin.so
account include system
account sufficient /usr/local/lib/pam_winbind.so

# session
session include system

# password
password include system


So I'm still trying, but AD users do not appear in the password or group
databases of FreeBSD.
Should I try LDAP?


--
View this message in context: http://old.nabble.com/FreeBSD-7.2-domain-member-problem-tp26204285p26222348.html

Daniel O'Connor
Nov 6, 2009, 2:40:50 AM

On Thu, 5 Nov 2009, Ivo Karabojkov wrote:
> group: files winbind
> group_compat: nis
> hosts: files dns
> networks: files
> passwd: files winbind
> passwd_compat: nis
> shells: files
> services: compat
> services_compat: nis
> protocols: files

Can you try commenting out group_compat and passwd_compat?

The other thing to try would be running ktrace on getent and see what
it's doing.


Ivo Karabojkov
Nov 6, 2009, 6:32:32 AM


I noticed some error messages in log files too:

winbindd-idmap.log:
winbindd/idmap.c:idmap_init_passdb_domain(438)
Could not init passdb idmap domain
[2009/11/06 13:21:23, 0] winbindd/idmap.c:smb_register_idmap_alloc(201)
idmap_alloc module ldap already registered!
[2009/11/06 13:21:23, 0] winbindd/idmap.c:smb_register_idmap_alloc(201)
idmap_alloc module tdb already registered!
[2009/11/06 13:21:23, 0] winbindd/idmap.c:smb_register_idmap(149)
Idmap module passdb already registered!

winbindd.log
winbindd/idmap.c:smb_register_idmap(149)
Idmap module nss already registered!
[2009/11/06 13:21:33, 1] winbindd/winbindd_group.c:winbindd_getgrent(1366)
could not look up gid for group HelpServicesGroup
(This message repeats for all AD global groups and also for AD users.)

I also attach my ktrace output (ktrace getent passwd):
http://old.nabble.com/file/p26230478/ktrace.out


--
View this message in context: http://old.nabble.com/FreeBSD-7.2-domain-member-problem-tp26204285p26230478.html

Ivo Karabojkov
Nov 10, 2009, 3:55:35 PM


Sorry, I don't know what caused everyone to lose interest in my previous
post...

What may be the reason for the error:

winbindd/idmap.c:idmap_init_passdb_domain(438)
Could not init passdb idmap domain

Do I have to use LDAP backend for IDMAP? Is there something with rid?

Any help or advice would be appreciated!
--
View this message in context: http://old.nabble.com/FreeBSD-7.2-domain-member-problem-tp26204285p26289538.html

Ivo Karabojkov
Nov 11, 2009, 3:05:43 PM


Ivo Karabojkov
Nov 11, 2009, 4:06:04 PM


Sorry, I don't know what caused everyone to lose interest in my previous
post...

What may be the reason for the error:

winbindd/idmap.c:idmap_init_passdb_domain(438)
Could not init passdb idmap domain

I have another problem too:
winbindd/winbindd_user.c:winbindd_fill_pwent(97)
error getting user id for sid S-1-5..........

I tried adding passdb backend=tdbsam in my smb.conf but no result at all.
Do I have to use LDAP backend for IDMAP? Is there something with idmap:rid?

Dale Schroeder
Nov 12, 2009, 12:32:18 PM

Ivo Karabojkov wrote:
> Sorry I don't know what caused everyone to lose interest in my previous
> post...
>
> What may be the reason for the error:
>
> winbindd/idmap.c:idmap_init_passdb_domain(438)
> Could not init passdb idmap domain
>
> I have another problem too:
> winbindd/winbindd_user.c:winbindd_fill_pwent(97)
> error getting user id for sid S-1-5..........
>
> I tried adding passdb backend=tdbsam in my smb.conf but no result at all.
> Do I have to use LDAP backend for IDMAP? Is there something with idmap:rid?
>
> Any help or advice would be appreciated!
>
From your smb.conf, the "idmap backend" that you have commented out is
the correct one. Try changing that, then see if there is any improvement.
http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/idmapper.html#id2606608


http://groups.google.com/group/mailing.unix.samba/browse_thread/thread/48cc0808ab6fee08

#idmap backend = idmap_rid:DOMAIN=10000-100000000 [*this is the correct
one*]


idmap backend = rid
# ldap ssl = no
idmap uid = 10000-100000000
idmap gid = 10000-100000000
allow trusted domains = No
winbind enum users = yes
winbind enum groups = yes
#
winbind refresh tickets = Yes
winbind nested groups = No


Ivo Karabojkov
Nov 12, 2009, 4:34:15 PM


Thank you very much for your reply!

I commented out the correct line in my attempts to get this working.
I have partial success WITHOUT idmap backend, with the following smb.conf:

[global]
netbios name = SERVER
workgroup = DOMAIN
realm = DOMAIN.LOCAL
server string = Samba Server


security = ADS
username map = /etc/samba/smbusers
log level = 1
syslog = 0
log file = /var/log/samba/%m
max log size = 50
# printcap name = CUPS

ldap ssl = no
idmap uid = 10000-20000
idmap gid = 10000-20000
# template primary group = "Domain Users" // seems no longer supported
template shell = /sbin/nologin
# winbind separator = + // backslash is OK for me
# printing = cups

hosts allow = 192.168.1. 10.1.55. 127.0.0.1
interfaces = localhost, nfe0

bind interfaces only = Yes

[pub]


comment = Public
path = /var/samba/pub
guest ok = No
browseable = Yes

I can join the AD and see users with wbinfo -u, but I cannot find the users
with getent passwd!
I can still chown a folder stating "DOMAIN\user or group", and in ls -l
owner:group is displayed OK.

When I add:
idmap backend = idmap_rid:DOMAIN=10000-100000000
I get the warning: [2009/11/12 23:17:45, 1]
winbindd/idmap.c:parse_idmap_module(244)
idmap_init: idmap backend uses deprecated 'idmap_' prefix. Please replace
'idmap_rid:DOMAIN=10000-100000000' by 'rid:DOMAIN=10000-100000000'

Now I see only the uid/gid for the previously chowned directory, no users with
getent ... Changing the syntax according to the message changes nothing.
The winbindd log shows something like:
[2009/11/12 23:19:20, 1] winbindd/winbindd_group.c:getgrgid_recv(1015)
could not convert gid 10005 to sid

I get my partial success back by commenting out the idmap backend.


--
View this message in context: http://old.nabble.com/FreeBSD-7.2-domain-member-problem-tp26204285p26326852.html

Ivo Karabojkov
Nov 12, 2009, 5:25:33 PM


Ivo Karabojkov
Nov 13, 2009, 1:15:13 PM


Ivo Karabojkov
Nov 14, 2009, 4:39:20 PM


Sorry for my triple answer; the message was rejected by the mailing list the
last few days and I tried to resend it over and over again.

--
View this message in context: http://old.nabble.com/FreeBSD-7.2-domain-member-problem-tp26204285p26354107.html

Ivo Karabojkov
Nov 22, 2009, 1:01:56 PM


So I kept "hitting my head against the wall", and here is my partial but
satisfying solution:

I was totally unable to get idmap_rid working! So I am using the default
IDMAP backend - tdb.
The problem with pw user/group show -a or getent passwd/group not working
was that nss_winbind.so was not where it was supposed to be. To correct this
I used:

ln -s /usr/local/lib/nss_winbind.so.1 /usr/lib/
ln -s /usr/local/lib/nss_winbind.so.1 /usr/lib/nss_winbind.so.2

Now all my users and groups are visible with pw or getent!
The rid backend would give a predictable SID <-> UID/GID mapping; with this
solution the mapping changes every time the server is joined to the AD domain.
But I failed to set it up - it seems idmap_rid does not map anything...

If someone can help with a better solution I will be grateful.

--
View this message in context: http://old.nabble.com/FreeBSD-7.2-domain-member-problem-tp26204285p26466399.html

Diego Zuccato
Nov 23, 2009, 2:45:51 AM

Ivo Karabojkov wrote:

> I was totally unable to get idmap_rid working! So I am using the default
> IDMAP backend - tdb.

Not good if you need the same user to receive the same UID on
different machines.

> The problem with not working pw user / group show -a or getent passwd /
> group was that nss_winbind.so was not where it supposed to. To correct this
> I used:
> ln -s /usr/local/lib/nss_winbind.so.1 /usr/lib/
> ln -s /usr/local/lib/nss_winbind.so.1 /usr/lib/nss_winbind.so.2

That's really ugly and shouldn't be needed on ANY distro. And it seems
you're asking for trouble (.1 and .2 IIRC have different ABIs).

> Now all my users and groups are visible with pw or getent!
> rid backend would give predictable sid <-> uid/gid mapping, with this
> solution mapping changes every time server is joined to AD domain. But I
> failed setting it up - it seems idmap_rid does not map anything...
>
> If someone may help with better solution I will be grateful.

In my config I map users in two domains to different UID/GID values with
the following config:
winbind uid = 100000-100000000
winbind gid = 100000-100000000

idmap config DOM1:backend = rid
idmap config DOM1:base_rid = 500
idmap config DOM1:range = 100000 - 49999999
idmap config DOM2:backend = rid
idmap config DOM2:base_rid = 500
idmap config DOM2:range = 50000000 - 99999999

Maybe you need just:
winbind uid = 100000-100000000
winbind gid = 100000-100000000
idmap config backend = rid

And be sure to "testparm -v" any changes to smb.conf

--
Diego Zuccato
Servizi Informatici
Dip. di Astronomia - Università di Bologna
Via Ranzani, 1 - 40126 Bologna - Italy
tel.: +39 051 20 95786
mail: diego....@unibo.it
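
As an added example that is not part of this thread and not Samba's own code: a small Python script that applies the idmap_rid mapping rule to a two-domain configuration like the one above and checks the ranges for the problems that come up in this thread (the deprecated 'idmap_' backend prefix, ranges that overlap or fall outside the winbind uid/gid range). The mapping rule xid = low_id + (rid - base_rid), the sample smb.conf text and the domain SIDs are stated assumptions in the code, not taken from the thread.

```python
# Added example, not code from the thread or from Samba: how the idmap_rid
# backend turns a SID into a Unix ID, plus a consistency check of per-domain
# "idmap config" ranges. Assumptions (labelled): the formula
#   xid = low_id + (rid - base_rid), usable only if low_id <= xid <= high_id
# follows the idmap_rid backend's documented behaviour; the smb.conf text and
# the domain SIDs below are constructed for this example.
import re

# Constructed sample, modelled on the two-domain config quoted above.
SAMPLE_SMB_CONF = """
[global]
    workgroup = DOM1
    security = ADS
    winbind uid = 100000-100000000
    winbind gid = 100000-100000000
    idmap config DOM1:backend = rid
    idmap config DOM1:base_rid = 500
    idmap config DOM1:range = 100000 - 49999999
    idmap config DOM2:backend = rid
    idmap config DOM2:base_rid = 500
    idmap config DOM2:range = 50000000 - 99999999
"""

# Constructed domain SIDs (on a real member server you would read them from
# `wbinfo --domain-info DOM` or `net getdomainsid`).
DOMAIN_SIDS = {"DOM1": "S-1-5-21-1000-2000-3000",
               "DOM2": "S-1-5-21-4000-5000-6000"}

_IDMAP_RE = re.compile(r"^\s*idmap\s+config\s+([^:\s]+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)
_RANGE_RE = re.compile(r"^\s*(\d+)\s*-\s*(\d+)\s*$")

def parse_range(text):
    """'100000 - 49999999' -> (100000, 49999999); None if not a range."""
    m = _RANGE_RE.match(text)
    return (int(m.group(1)), int(m.group(2))) if m else None

def parse_idmap_config(conf):
    """Collect 'idmap config DOM:key = value' lines into {DOM: {...}}."""
    domains = {}
    for line in conf.splitlines():
        m = _IDMAP_RE.match(line)
        if not m:
            continue
        dom, key, val = m.group(1).upper(), m.group(2).lower(), m.group(3)
        d = domains.setdefault(dom, {"backend": None, "base_rid": 0, "range": None})
        if key == "backend":
            d["backend"] = val.lower()
        elif key == "base_rid":
            d["base_rid"] = int(val)
        elif key == "range":
            d["range"] = parse_range(val)
    return domains

def parse_global_range(conf, key):
    """Value of e.g. 'winbind uid = 100000-100000000' as (low, high)."""
    m = re.search(r"^\s*%s\s*=\s*(.+?)\s*$" % re.escape(key), conf, re.M | re.I)
    return parse_range(m.group(1)) if m else None

def check_idmap_config(domains, winbind_range):
    """Return a list of problems; an empty list means the ranges are usable."""
    problems, seen = [], []
    for dom, d in sorted(domains.items()):
        if d["backend"] and d["backend"].startswith("idmap_"):
            problems.append("%s: backend '%s' uses the deprecated 'idmap_' prefix" % (dom, d["backend"]))
        if d["range"] is None:
            problems.append("%s: no usable range" % dom)
            continue
        lo, hi = d["range"]
        if lo > hi:
            problems.append("%s: range %d-%d is inverted" % (dom, lo, hi))
        if winbind_range and (lo < winbind_range[0] or hi > winbind_range[1]):
            problems.append("%s: range %d-%d outside winbind uid/gid range %d-%d"
                            % (dom, lo, hi, winbind_range[0], winbind_range[1]))
        for other, (olo, ohi) in seen:            # every pair of domains must be disjoint
            if lo <= ohi and olo <= hi:
                problems.append("%s: range %d-%d overlaps %s (%d-%d)" % (dom, lo, hi, other, olo, ohi))
        seen.append((dom, (lo, hi)))
    return problems

def sid_to_xid(sid, domains, domain_sids=DOMAIN_SIDS):
    """idmap_rid forward mapping; None when the SID cannot be mapped."""
    dom_sid, _, rid = sid.rpartition("-")
    dom = next((n for n, s in domain_sids.items() if s == dom_sid), None)
    if dom is None or not rid.isdigit():
        return None                                  # not one of our domains
    d = domains.get(dom)
    if d is None or d["backend"] != "rid" or d["range"] is None:
        return None                                  # no rid backend for this domain
    lo, hi = d["range"]
    xid = lo + (int(rid) - d["base_rid"])
    return xid if lo <= xid <= hi else None          # range filter, as idmap_rid applies

def xid_to_sid(xid, domains, domain_sids=DOMAIN_SIDS):
    """Reverse mapping: the range identifies the domain, the offset the RID."""
    for dom, d in domains.items():
        if d["backend"] == "rid" and d["range"] and d["range"][0] <= xid <= d["range"][1]:
            return "%s-%d" % (domain_sids[dom], xid - d["range"][0] + d["base_rid"])
    return None

if __name__ == "__main__":
    cfg = parse_idmap_config(SAMPLE_SMB_CONF)
    print(check_idmap_config(cfg, parse_global_range(SAMPLE_SMB_CONF, "winbind uid")) or "ranges OK")
    for sid in ("S-1-5-21-1000-2000-3000-513", "S-1-5-21-4000-5000-6000-1105"):
        xid = sid_to_xid(sid, cfg)
        print(sid, "->", xid, "->", xid_to_sid(xid, cfg))
```

The point of the arithmetic is the one Diego makes: with rid, the ID is a pure function of the domain SID, the RID and the configured range, so two member servers with the same smb.conf agree on every UID/GID, whereas tdb hands out IDs in the order it first sees them. The range check matters for the same reason: an overlap between two domains' ranges makes the reverse mapping ambiguous, and an ID outside the winbind uid/gid range is rejected by winbindd rather than mapped.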

Daniel O'Connor
Nov 23, 2009, 4:28:17 AM

On Mon, 23 Nov 2009, Diego Zuccato wrote:
> > The problem with not working pw user / group show -a or getent
> > passwd / group was that nss_winbind.so was not where it supposed
> > to. To correct this I used:
> > ln -s /usr/local/lib/nss_winbind.so.1 /usr/lib/
> > ln -s /usr/local/lib/nss_winbind.so.1 /usr/lib/nss_winbind.so.2
>
> That's really ugly and shouldn't be needed on ANY distro. And it
> seems you're looking for troubles (.1 and .2 IIRC have different
> ABI).

Indeed, that certainly shouldn't be necessary.

I use nss/pam_ldap (on FreeBSD) and it works just fine living
in /usr/local/lib as you'd expect.

I don't know why you'd need nss_winbind.so.2 either.
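
As an added example, not code from the thread, FreeBSD or Samba: the question behind the symlink hack above is whether the dynamic linker can find a module called nss_winbind.so.1 at all. This script reads an nsswitch.conf, works out which sources need a loadable module, and reports which of them cannot be found in the library directories it is given. It assumes (and the code labels these as assumptions) that a non-builtin source X is loaded as nss_X.so.1 from the linker's search directories (the list `ldconfig -r` prints on FreeBSD), and that files, dns, compat and nis are built into libc; the nsswitch.conf text and the library directory list are constructed for the example.

```python
# Added example, not code from the thread or from FreeBSD/Samba: check which
# NSS source modules named in nsswitch.conf are resolvable from the given
# library directories. Assumptions (labelled): a non-builtin source X in
# nsswitch.conf is loaded as the shared object nss_X.so.1 from the dynamic
# linker's search directories (compare `ldconfig -r` on FreeBSD); 'files',
# 'dns', 'compat' and 'nis' are treated as built into libc; the nsswitch.conf
# text and the directory list are constructed.
import os
import re

BUILTIN_SOURCES = {"files", "dns", "compat", "nis"}          # assumption, see above
MODULE_TEMPLATE = "nss_%s.so.1"                               # assumption, see above
DEFAULT_LIB_DIRS = ["/lib", "/usr/lib", "/usr/local/lib"]     # typical, not authoritative

SAMPLE_NSSWITCH = """\
# constructed nsswitch.conf, modelled on the one posted in this thread
group: files winbind
group_compat: nis
hosts: files dns
passwd: files winbind [notfound=return] ldap
passwd_compat: nis
services: compat
"""

def parse_nsswitch(text):
    """Return {database: [sources...]}, dropping comments and [status=action] criteria."""
    dbs = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        db, _, rest = line.partition(":")
        rest = re.sub(r"\[[^\]]*\]", " ", rest)      # strip [notfound=return] and friends
        dbs[db.strip()] = rest.split()
    return dbs

def external_sources(dbs, builtin=BUILTIN_SOURCES):
    """Sources that need a loadable nss_<source>.so module."""
    return sorted({s for srcs in dbs.values() for s in srcs} - builtin)

def locate_modules(sources, lib_dirs=DEFAULT_LIB_DIRS, exists=os.path.exists):
    """{source: path of the first matching module in lib_dirs, or None}."""
    found = {}
    for src in sources:
        name = MODULE_TEMPLATE % src
        found[src] = next((os.path.join(d, name) for d in lib_dirs
                           if exists(os.path.join(d, name))), None)
    return found

def nss_report(text, lib_dirs=DEFAULT_LIB_DIRS, exists=os.path.exists):
    """(where each external module was found, {database: [sources with no module]})."""
    dbs = parse_nsswitch(text)
    where = locate_modules(external_sources(dbs), lib_dirs, exists)
    broken = {}
    for db, srcs in dbs.items():
        missing = [s for s in srcs if s in where and where[s] is None]
        if missing:
            broken[db] = missing
    return where, broken

if __name__ == "__main__":
    # Inspects this host's directories; `exists` can be swapped for a
    # predicate over a captured `ldconfig -r` listing to check another box.
    where, broken = nss_report(SAMPLE_NSSWITCH)
    for src, path in where.items():
        print("%-8s %s" % (src, path or "NOT FOUND in " + ":".join(DEFAULT_LIB_DIRS)))
    for db, missing in broken.items():
        print("%s: cannot use source(s) %s" % (db, ", ".join(missing)))
```

Run against the real nsswitch.conf and the output of `ldconfig -r`, this separates the two failure modes the thread conflates: wbinfo -u succeeding proves winbindd talks to the DC, while getent passwd staying empty with winbind listed in nsswitch.conf points at the NSS module not being loadable, which is what the symlink "fix" worked around. If the module is found in /usr/local/lib, the remaining suspects are the lookup itself (the idmap errors in the winbindd log) rather than the library path.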


Ivo Karabojkov
Nov 23, 2009, 6:27:44 AM


I am sure it should work without these strange links I've made.
I don't know what the problem is. I use ports, just to keep my installations
more standard.

Could you point me to a good manual on how to set up nss/ldap with Samba?


Daniel O'Connor-2 wrote:
>
> Indeed, that certainly shouldn't be necessary..
>
> I use nss/pam_ldap (on FreeBSD) and it works just fine living
> in /usr/local/lib as you'd expect.
>
> I don't know why you'd need nss_winbind.so.2 either.
>
>

--
View this message in context: http://old.nabble.com/FreeBSD-7.2-domain-member-problem-tp26204285p26476306.html

Daniel O'Connor
Nov 23, 2009, 7:17:53 AM

On Mon, 23 Nov 2009, Ivo Karabojkov wrote:
> I am sure it should work without these strange links I've made.
> I don't know what is the problem. I use ports, just to keep my
> installations more standard.
>
> May you point me a good manual how to set up nss/ldap with Samba?

I used the Samba HOWTO guide and googled; the net/smbldap-tools port is
pretty helpful.

That said, it wasn't especially simple to set up :(

However I don't use winbind on my FreeBSD machine, I use nss/pam_ldap
and Samba talks to the LDAP server as well.
